From 42839c120b9817a351b9edbe5c804c60b2d0ef34 Mon Sep 17 00:00:00 2001
From: Daniel Czerwonk <daniel@dan-nrw.de>
Date: Sun, 1 Jul 2018 23:19:51 +0200
Subject: [PATCH] fixed out of bounds

---
 protocols/bgp/packet/mp_reach_nlri.go   | 15 +++++++++++++--
 protocols/bgp/packet/mp_unreach_nlri.go | 14 ++++++++++++--
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/protocols/bgp/packet/mp_reach_nlri.go b/protocols/bgp/packet/mp_reach_nlri.go
index e6ec075e..497bc7a2 100644
--- a/protocols/bgp/packet/mp_reach_nlri.go
+++ b/protocols/bgp/packet/mp_reach_nlri.go
@@ -58,12 +58,23 @@ func deserializeMultiProtocolReachNLRI(b []byte) (MultiProtocolReachNLRI, error)
 
 	variable = variable[1+nextHopLength:]
 
-	idx := uint8(0)
 	n.Prefixes = make([]bnet.Prefix, 0)
+
+	if len(variable) == 0 {
+		return n, nil
+	}
+
+	idx := uint8(0)
 	for idx < uint8(len(variable)) {
 		l := numberOfBytesForPrefixLength(variable[idx])
+		start := idx + 1
+		end := idx + 1 + l
+		r := uint8(len(variable)) - idx - 1
+		if r < l {
+			return MultiProtocolReachNLRI{}, fmt.Errorf("expected %d bytes for NLRI, only %d remaining", l, r)
+		}
 
-		pfx, err := deserializePrefix(variable[idx+1:idx+1+l], variable[idx], n.AFI)
+		pfx, err := deserializePrefix(variable[start:end], variable[idx], n.AFI)
 		if err != nil {
 			return MultiProtocolReachNLRI{}, err
 		}
diff --git a/protocols/bgp/packet/mp_unreach_nlri.go b/protocols/bgp/packet/mp_unreach_nlri.go
index 35f3cadf..7b42c4ce 100644
--- a/protocols/bgp/packet/mp_unreach_nlri.go
+++ b/protocols/bgp/packet/mp_unreach_nlri.go
@@ -2,6 +2,7 @@ package packet
 
 import (
 	"bytes"
+	"fmt"
 
 	bnet "github.com/bio-routing/bio-rd/net"
 	"github.com/taktv6/tflow2/convert"
@@ -41,12 +42,21 @@ func deserializeMultiProtocolUnreachNLRI(b []byte) (MultiProtocolUnreachNLRI, er
 		return MultiProtocolUnreachNLRI{}, err
 	}
 
+	if len(prefix) == 0 {
+		return n, nil
+	}
+
 	idx := uint8(0)
-	n.Prefixes = make([]bnet.Prefix, 0)
 	for idx < uint8(len(prefix)) {
 		l := numberOfBytesForPrefixLength(prefix[idx])
+		start := idx + 1
+		end := idx + 1 + l
+		r := uint8(len(prefix)) - idx - 1
+		if r < l {
+			return MultiProtocolUnreachNLRI{}, fmt.Errorf("expected %d bytes for NLRI, only %d remaining", l, r)
+		}
 
-		pfx, err := deserializePrefix(prefix[idx+1:idx+1+l], prefix[idx], n.AFI)
+		pfx, err := deserializePrefix(prefix[start:end], prefix[idx], n.AFI)
 		if err != nil {
 			return MultiProtocolUnreachNLRI{}, err
 		}
-- 
GitLab